Weaknesses in Wiegand

In the past, I have identified some problems with biometrics as an element in security systems. On the Wired website, there is a relatively old article describing an attack against electronic physical access control systems, developed by Zac Franken. It exploits the fact that the commonly used Wiegand protocol – used for communication between readers and access control databases – does not perform proper authentication between the access token, reader, and database system. As a consequence, if it is possible to gain physical access to the communication wires, an attacker can record a valid exchange between a real token and the database, then replay it to grant themselves access. It doesn’t matter whether the token is a keycard, a key, or a retinal scan: the reader reduces all of them to the same unauthenticated bits on the wire.

The hardware required apparently costs around $10. In addition to allowing an unauthorized user to gain access, the system can also lock out all legitimate users once the attacker is inside.

What this exploit really demonstrates is how successful security requires that every element of a system be robust against exploitation. You could spend thousands of dollars on the best biometric scanners available, only to be foiled by a simple workaround of this type.
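To make the point concrete, here is an added example (my own code, not from the Wired article or from Franken's device) that parses the common 26-bit Wiegand frame and contrasts it with a sketched nonce-plus-MAC link. The frame carries only parity bits, a facility code and a card number, so it is identical every time the same token is presented; the `AuthenticatedController` class is a hypothetical illustration of why a per-transaction challenge defeats a recorded exchange (real deployments would use a standardised secure channel such as OSDP Secure Channel rather than this sketch).

```python
import hashlib
import hmac
import secrets


def encode_wiegand26(facility: int, card: int) -> str:
    """Build a 26-bit Wiegand frame: even parity over the first 12 data bits,
    8-bit facility code, 16-bit card number, odd parity over the last 12."""
    data = f"{facility:08b}{card:016b}"
    p_even = str(data[:12].count("1") % 2)
    p_odd = str((data[12:].count("1") + 1) % 2)
    return p_even + data + p_odd


def decode_wiegand26(bits: str) -> tuple[int, int]:
    """Controller-side parse of a frame. Note what is NOT here: no key, no nonce,
    no MAC. Anything that replays valid bits is indistinguishable from the card."""
    if len(bits) != 26 or set(bits) - {"0", "1"}:
        raise ValueError("need 26 bits")
    b = [int(c) for c in bits]
    if sum(b[0:13]) % 2 != 0:   # leading parity bit makes bits 0-12 even
        raise ValueError("even parity fail")
    if sum(b[13:26]) % 2 != 1:  # trailing parity bit makes bits 13-25 odd
        raise ValueError("odd parity fail")
    return int(bits[1:9], 2), int(bits[9:25], 2)


class AuthenticatedController:
    """Hypothetical illustration: the controller hands the reader a fresh nonce
    and accepts a frame only with a MAC over (nonce || frame), each nonce once."""

    def __init__(self, key: bytes):
        self.key = key
        self.pending: set[bytes] = set()

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending.add(nonce)
        return nonce

    def verify(self, nonce: bytes, frame: str, tag: bytes):
        if nonce not in self.pending:          # unknown or already consumed
            return None
        expected = hmac.new(self.key, nonce + frame.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None
        self.pending.discard(nonce)            # single use: a recording is dead
        return decode_wiegand26(frame)


def reader_respond(key: bytes, nonce: bytes, frame: str) -> bytes:
    """What a reader sharing the key would send back for the controller's nonce."""
    return hmac.new(key, nonce + frame.encode(), hashlib.sha256).digest()
```

Presenting the same token twice yields the same 26 bits, which is exactly why a recording suffices against plain Wiegand; with the challenge in place, the second `verify` of the identical message fails.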

This reminds me of the problems of enhanced drivers licenses. Some proposals for EDLs want to place RFID chips in licenses; at border crossings and other places where ID needs to be validated, the license is swiped past a card reader. The hardware for making a reader is very cheap, and because the information is unencrypted it is easily read.

RFID has lots of problems, and putting it in passports is especially stupid. It is easy to scan a passport using a physical or optical reader. Making them readable at a distance by radio is just dangerous.

An effective security program is more than just having physical security measures in place. Like any man-made constructs, physical security measures — closed-circuit television (CCTV), alarms, cipher locks and so forth — have finite utility. They serve a valuable purpose in institutional security programs, but an effective security program cannot be limited to these things. Devices cannot think or evaluate. They are static and can be observed, learned and even fooled. Also, because some systems frequently produce false alarms, warnings in real danger situations may be brushed aside. Given these shortcomings, it is quite possible for anyone planning an act of violence to map out, quantify and then defeat or bypass physical security devices. However, elaborate planning is not always necessary. Consider the common scenario of a heavy metal door with very good locks that is propped open with a trashcan or a door wedge. In such a scenario, an otherwise “secure” door is defeated by an internal security lapse.

However, even in situations where there is a high degree of threat awareness, there is a tendency to place too much trust in physical security measures, which can become a kind of crutch — and, ironically, an obstacle to effective security.

In fact, to be effective, physical security devices always require human interaction. An alarm is useless if no one responds to it, or if it is not turned on; a lock is ineffective if it is not engaged. CCTV cameras are used extensively in corporate office buildings and some houses of worship, but any competent security manager will tell you that, in reality, they are far more useful in terms of investigating a theft or act of violence after the fact than in preventing one (although physical security devices can sometimes cause an attacker to divert to an easier target).

Meet Chris Paget, a hacker who believes that people shouldn’t be tagged with RFIDs. He spent a productive day driving around San Francisco, sniffing and cloning mountains of RFID-equipped US passports and driver’s licenses. The equipment to accomplish this feat cost him $250. When we debate the risks associated with RFID-equipped IDs, we usually focus on what happens when the government can follow us around everywhere — but the real risk may be that crooks, marketing creeps and various unaffiliated snoops will do this instead.